Malware used in Target breach sold on underground forums

Target continues to be rather tight-lipped about the circumstances of the massive user datatheft and the breach of their networks that made it possible, but the few details that have been shared with the public point to the use of memory-scraping POS malware.

Nothing has yet officially been confirmed, but unnamed sources familiar with the investigation have revealed to Brian Krebs that the malware in question was one that Symantec calls “Reedum” and that it is sold on underground cybercrime forums under the name of “BlackPOS.”

“On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec,” Krebs revealed.

“Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013.”

Reedum or BlackPOS, which is designed to be installed on POS devices and to scrape the card data contained in their memory as soon as the cards are swiped, is being sold by its author for $1,800 (basic version) or $2,300 (full version), and is apparently capable of bypassing firewalls.

Russian security firm Group-IB has been following the activities of this individual and the group of cyber crooks he associates, and believe them to be of Russian and Ukrainian origin, and involved in many cyber criminal activities. They also believe that BlackPOS malware has been previously used in attacks against customers of several big US banks.

What’s interesting to note is that at the time the malware was installed on Target’s POS systems in late November, none of the commercial AV solutions used by VirusTotal were detecting it as such.

Another question that the unnamed sources answered regards how the criminals went about installing the malware on the POS systems.

“The attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices,” writes Krebs.

“The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” the source shared. “They basically had to keep going in and manually collecting the dumps.”

What little information was released by Target since the breach seems to corroborate these (unofficial) revelations, as the the criminals had to had access to the company’s network in order to run off with the customers’ personal information.

It also means that Triptwire’s Ken Westin made some good educated guesses about how the malware was deployed on the POS systems.